Ethan Havinga
My name is Ethan Havinga. After finishing my education I was lucky enough to join an internship at MWR CyberSec, where I now work full-time as a Cybersecurity Consultant with a focus on the web application security space. In my spare time I enjoy a bit of light reading and video games, and I have a passion for diving head-first into technical rabbit holes.
Session
Tired of Googling persistent XSS and being swamped with Stored XSS write-ups? Let's take a dive into what persistent XSS really means and how modern browsers try to prevent us from achieving it.
Modern web applications have outpaced traditional Cross-Site Scripting (XSS) techniques like stored XSS and iFrame traps, which falter against page navigation, X-Frame-Options headers, Content Security Policy, and EDR/AV detection. This talk explores why true persistent XSS is a complex challenge and introduces [REDACTED], a new open-source framework built to address these modern barriers.
We dive into the persistence problem, examining why simple framing no longer suffices in today’s browsers. Legacy tools like BeEF, while pioneering, rely on methods that are less effective against current browser standards and APIs. [REDACTED] builds on BeEF’s persistence foundation but focuses on making XSS a reliable vulnerability to exploit on red team engagements no matter the context. It integrates modern technologies, such as advanced DOM manipulation and lightweight payloads, to ensure stability and bypass defenses. [REDACTED] also introduces unique attacks, like live remote view, for real-time monitoring of infected web applications.
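The abstract's point that iframe traps fail against X-Frame-Options and Content Security Policy rests on those headers actually being present and enforced. The following is an added example (not code from the talk, its author, or the [REDACTED] framework) that a defender could use to classify a response's framing protection from its headers; the header sets in `SAMPLE_RESPONSES` are constructed for illustration, and the `framing_protection` and `audit` names are this example's own.

```python
# Added example: classify how a response restricts being embedded in an iframe,
# based on X-Frame-Options and the CSP frame-ancestors directive. Sample header
# sets below are constructed, not captured from any real application.
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response's framing protection.

    'blocked'     - no cross-origin page may frame it (frame-ancestors 'none' or
                    'self' only, or X-Frame-Options DENY / SAMEORIGIN)
    'restricted'  - framing is allowed only for an explicit origin list
    'unprotected' - neither mechanism is enforced, so any page may frame it

    When both headers are present, browsers that support CSP give frame-ancestors
    precedence, so it is evaluated first. Content-Security-Policy-Report-Only is
    deliberately not consulted: it reports violations but does not enforce them.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            lowered = [a.lower() for a in ancestors]
            if lowered == ["'none'"] or lowered == ["'self'"]:
                return "blocked"
            return "restricted"
    xfo = _header(headers, "X-Frame-Options")
    # Only DENY and SAMEORIGIN are honoured by modern browsers; the obsolete
    # ALLOW-FROM value is ignored, which leaves the page unprotected.
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "blocked"
    return "unprotected"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify every named header set and return {name: classification}."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


# Constructed sample header sets covering the common configurations.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "legacy_app": {"Content-Type": "text/html"},
    "xfo_only": {"x-frame-options": "DENY"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:20s} {verdict}")
```

The two cases worth noticing are `obsolete_allow_from` and `report_only`: both look like they configure framing protection, yet neither is enforced by a current browser, which is exactly the kind of gap a header audit should surface.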
This session analyses legacy tool limitations and showcases [REDACTED]’s Command-and-Control functionality for red/purple team engagements. A live demo on a simulated banking app will highlight [REDACTED]’s innovative features, including its remote-view capability, and demonstrate its real-world impact. Attendees will understand why persistence remains a tough problem, how [REDACTED] redefines XSS exploitation, and why older approaches fall short, gaining a modern mental model for advanced attacks. Join us to rethink XSS and build on the legacy of tools like BeEF.
